Arbitrary memory address read vulnerability with Regex search

2024-04-2221:00:00

RubySec

rubysec.com

arbitrary memory vulnerability

ruby regex

heap data extraction

software update

compatibility fix

7.3 High

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

If attacker-supplied data is provided to the Ruby regex compiler, it is
possible to extract arbitrary heap data relative to the start of the text,
including pointers and sensitive strings.

We recommend to update the Ruby to version 3.3.1 or later. In order to ensure compatibility with older Ruby series, you may update as follows instead:

For Ruby 3.0 users: Update to 3.0.7
For Ruby 3.1 users: Update to 3.1.5
For Ruby 3.2 users: Update to 3.2.4
For Ruby 3.3 users: Update to 3.3.1

CPENameOperatorVersion
rubyle3.0.6
rubyge3.1.0
rubyle3.1.4
rubyge3.2.0
rubyle3.2.3
rubyge3.3.0
rubylt3.3.1

Name	Operator	Version
ruby	le	3.0.6
ruby	ge	3.1.0
ruby	le	3.1.4
ruby	ge	3.2.0
ruby	le	3.2.3
ruby	ge	3.3.0
ruby	lt	3.3.1

References

www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/